The normal salt uses the realm and principal components, so in realmA the salt is realmAkrbtgtrealmB and in realmB the salt is realmBkrbtgtrealmA. You need to create them without a salt or the same salt.
With the Heimdal kadmin you can add a principal with -key DES-key in hex, which avoids the salt issues.

Dave Botsch wrote:
> On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
>
>>>So, I know I've got the right password... I can manually kinit
>>>krbtgt/[EMAIL PROTECTED] using the supplied cross-realm password -- that
>>>works
>>
>>Okay ... but unless you did some magic, you weren't sending that request
>>to realm B, you only sent that to realm A.
>
> Right. I've been trying to figure out if there's a way to do this kinit to
> realmB with some sort of magic, but no luck so far. It would certainly be a
> useful test.
>
>>
>>Okay, one other thing comes to mind. Is it possible that the default
>>key _salts_ are different between the two realms? Do a getprinc on both
>>principals in both realms, and make sure the key salts (listed in the enctypes
>>after every key) are the same. The keys should also be in the same order
>>(although I don't remember if mis-ordering results in this error). When
>>I create cross-realm keys, I specify the enctype:salt pairs manually so
>>they will match and have the correct ordering.
>>
>
> I believe they match... well, one of them does at any rate. If I understand
> things, on realmA, it's set up with just one enc/salt type where I've got
> three on this end. One of those three is the one. I've tried recreating the
> principal with just the one and no luck.
>
>>--Ken

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
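The check Ken Hornstein describes in the quoted text above (compare the enctype and salt listed for each key of the cross-realm principal in both realms, including their order), as an added example that is not part of the original thread. The `Key: vno N, enctype, salt` line layout, the realm names and the sample getprinc output are assumptions constructed for illustration.

```python
import re

# Assumed layout of a kadmin getprinc key line: "Key: vno <n>, <enctype>, <salt>"
KEY_LINE = re.compile(r"^Key: vno \d+, (.+), ([^,]+)$")

# Constructed sample output for the same cross-realm principal in each realm.
REALM_A_OUTPUT = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
"""
REALM_B_OUTPUT = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

def parse_keys(getprinc_text):
    """Return the (enctype, salt) pairs in the order getprinc listed them."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((m.group(1).strip(), m.group(2).strip()))
    return keys

def compare_keys(keys_a, keys_b):
    """List the differences between two realms' enctype:salt lists."""
    if keys_a == keys_b:
        return []
    if sorted(keys_a) == sorted(keys_b):
        return ["same enctype:salt pairs, different order"]
    problems = []
    for enctype, salt in keys_a:
        if (enctype, salt) not in keys_b:
            problems.append(f"only in realm A: {enctype}:{salt}")
    for enctype, salt in keys_b:
        if (enctype, salt) not in keys_a:
            problems.append(f"only in realm B: {enctype}:{salt}")
    return problems

if __name__ == "__main__":
    a, b = parse_keys(REALM_A_OUTPUT), parse_keys(REALM_B_OUTPUT)
    for problem in compare_keys(a, b) or ["enctype:salt lists match"]:
        print(problem)
```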
